Pexip Infinity configuration for an on-premises Skype for Business environment

This topic describes the configuration required on the Pexip platform to integrate Pexip Infinity with an on-premises Skype for Business / Lync* environment.

In this type of integration the Pexip Infinity Conferencing Nodes typically will reside on a private IP network. Conferencing Nodes do not need to use a TURN server for media routing to remote or federated SfB/Lync clients, providing they can reach the public-facing interface of the SfB/Lync Edge server. However, if the Conferencing Nodes are behind a NAT then they do need access to a STUN/TURN server so that each node can discover its NAT address. In Skype for Business / Lync deployments it is essential that a Conferencing Node can discover its NAT address.

* Note that where this documentation refers to "SfB/Lync", it represents both Microsoft Skype for Business and Lync unless stated otherwise.

Prerequisites

The deployment process assumes that the Management Node and the Conferencing Nodes have already been configured with basic settings, such as an IP address and NTP server, and that the Conferencing Nodes have already been configured with one or more Virtual Meeting Room aliases for the SIP domain to be used, such as meet@vc.example.com.

Providing all of the Conferencing Nodes in the application pool are all deployed in the same system location e.g. Europe, no additional clustering configuration is required on the Pexip platform.

Configuration summary

The Pexip Infinity configuration consists of the following steps, each described in more detail in the following sections:

  1. Assigning a server certificate to the Conferencing Nodes.
  2. Configuring a Skype for Business / Lync server per location.
  3. Configuring DNS records and DNS servers.
  4. Setting the Configured FQDN for the Conferencing Nodes.
  5. Configuring the Pexip Infinity domain.
  6. Configuring a STUN/TURN server per location (optional, but required for supporting external/federated SfB/Lync clients).

After completing the Pexip Infinity configuration, you must also perform the Skype for Business server configuration for an on-premises deployment.

Assigning a server certificate to the Pexip Infinity Conferencing Nodes

When integrating Pexip Infinity with an on-prem SfB/Lync environment, every Conferencing Node must be configured with a TLS server certificate which matches their respective FQDNs (Fully Qualified Domain Name), and the SfB/Lync servers must trust this certificate. Server certificates are typically issued by a Certificate Authority (CA) within the SfB/Lync environment itself (normally this will be the CA which was used to provide the SfB/Lync servers themselves with server certificates).

For more information about creating certificate signing requests, see Certificate creation and requirements for Skype for Business integrations.

Certificate requirements

In our example deployment, any of the Conferencing Nodes may communicate with the SfB/Lync environment. Calls from SfB/Lync to Pexip Infinity are routed from the FEP to any of the Conferencing Nodes in the application pool, and outbound calls from Pexip Infinity to SfB/Lync may be initiated by any Conferencing Node. To ensure that the SfB/Lync environment trusts these Conferencing Nodes, a certificate that is trusted by the SfB/Lync servers must be assigned to every node.

We recommend that you generate and use a single SAN certificate that encompasses all of the Conferencing Nodes in the application pool.

In the certificate:

  • The Subject name (commonName attribute) must be the Trusted Application Pool FQDN (such as confpool-eu.vc.example.com in our examples).
  • The Subject Alternative Name (altNames attribute) entries must include the Trusted Application Pool FQDN (i.e. a repeat of the Subject name), plus the FQDNs of all of the nodes in the pool that are involved in signaling.
  • Assign the same certificate to all of the enterprise nodes that are involved in call signaling.

Therefore, in our example, the Subject name (commonName) and SAN (altNames) sections for the certificate to be installed on every Conferencing Node would be configured as:

commonName = confpool-eu.vc.example.com
altNames = conf01.vc.example.com, conf02.vc.example.com, conf03.vc.example.com, confpool-eu.vc.example.com

See Certificate and DNS examples for an on-premises integration with Skype for Business for more information about synchronizing your DNS records and certificate names.

Assigning the certificate to Conferencing Nodes

To assign a server certificate and private key to one or more Conferencing Nodes:

  1. From the Management Node, go to Certificates > TLS certificates and select Add TLS certificate.
  2. Copy-paste the TLS certificate and its associated Private key into the relevant text boxes, or alternatively use the select the file links to upload the certificate and private key files.
  3. In the Nodes section, from the Available Nodes list, select every Conferencing Node in the application pool (conf01.vc.example.com, conf02.vc.example.com and conf03.vc.example.com in our example), and move them into the Chosen Nodes list.
  4. Select Save. The certificate and private key will be pushed automatically to the selected Conferencing Nodes.

Uploading trusted CA certificates

If the server certificate has been issued by one or more intermediate CAs (Certificate Authorities), these intermediate certificates must be uploaded. You can upload them as a single-file bundle by going to Platform > Trusted CA certificates and selecting Import.

See Certificates issued by intermediate CAs for more information.

Configuring a Skype for Business / Lync server per location

To allow internal Conferencing Nodes to call out to SfB/Lync clients you must define the target SfB/Lync servers. In our example deployment, a SfB/Lync Front End Pool has been deployed in Europe with the pool address fepool-eu.example.com.

To instruct the Conferencing Nodes in the Europe system location to use the Europe-based SfB/Lync Front End Pool, you must first define the SfB/Lync Front End Pool on the Management Node, and then link it to the Europe location, as follows:

  1. Go to Call control > Lync / Skype for Business servers and select Add Lync / Skype for Business server:

  2. Complete the fields and select Save.

    In the example above, the Europe SfB/Lync server has been defined by its pool name FQDN fepool-eu.example.com.

    Note that the SfB/Lync server can be a Front End Server/Processor or a Director; it cannot be an Edge Server.

  3. To assign the new SfB/Lync server to the appropriate location, go to Platform > Locations and select the Europe location.
  4. In the Lync / Skype for Business server field, select the Europe SfB/Lync server from the drop-down list, and then select Save.

Configuring DNS records and DNS servers

You need to ensure the following DNS records for your Conferencing Nodes have been set up, and that Pexip Infinity is configured to use internal DNS servers.

DNS A-records

In DNS, ensure that the following records are configured:

  • An A-record for each Conferencing Node. In our example this is 3 records with host names of conf01, conf02 and conf03, and they each point to the individual IP address of the node.
  • Another A-record per Conferencing Node. This time the host name of every record should be confpool-eu.vc.example.com (the application pool name of the Conferencing Nodes), and again associate it with the IP address of each Conferencing Node. This step is not required for Skype for Business servers, but is necessary for Lync servers as it allows Lync to spread the traffic across all of the Conferencing Nodes.

For example (change the hostnames and IP addresses as appropriate for your actual deployment):

conf01.vc.example.com.         86400 IN A 10.44.0.10
conf02.vc.example.com.         86400 IN A 10.44.0.11
conf03.vc.example.com.         86400 IN A 10.44.0.12
confpool-eu.vc.example.com.    86400 IN A 10.44.0.10  (only required for Lync deployments)
confpool-eu.vc.example.com.    86400 IN A 10.44.0.11  (only required for Lync deployments)
confpool-eu.vc.example.com.    86400 IN A 10.44.0.12  (only required for Lync deployments)

See Certificate and DNS examples for an on-premises integration with Skype for Business for more information about synchronizing your DNS records and certificate names.

Pexip Infinity DNS server configuration

Ensure that Pexip Infinity is configured to use DNS servers on the inside of the network (System > DNS servers, and then assigned to each location via Platform > Locations). This ensures that Pexip Infinity can resolve internal hostnames, which is mandatory for communicating with SfB/Lync on-premises.

If you omit this step and use an external DNS server instead, calls might drop after a few minutes when Pexip Infinity verifies that the remote side is still responding properly. This is because an external DNS server cannot resolve the internal hostname of the SfB/Lync FEPs.

Setting the Configured FQDN for every Conferencing Node

The Configured FQDN setting for each Conferencing Node must be configured to reflect its DNS FQDN.

This is done on the Management Node, by going to Platform > Conferencing Nodes, choosing each node in turn and populating the Configured FQDN field.

The example above shows the Configured FQDN for the conf01 Conferencing Node, which is set to conf01.vc.example.com.

For any Pexip Infinity and SfB/Lync integration, you must ensure that each Conferencing Node is configured with its respective DNS hostname as the Configured FQDN. Pexip Infinity will present this as being the server name, and it must match the name on the certificate installed on the node. Each Conferencing Node must have a unique Configured FQDN.

Configuring the Pexip Infinity domain

You must specify the name of the SIP domain that is routed from SfB/Lync to Pexip Infinity for this deployment. This domain is inserted into the From header in outbound calls from Pexip Infinity to SfB/Lync, and ensures that SfB/Lync can route messages back to Pexip Infinity when, for example, initiating content sharing.

You specify this by going to Platform > Global settings > Connectivity and configuring the Pexip Infinity domain setting:

This must be set to the same SIP domain as used by the static route from SfB/Lync to Pexip Infinity, which is vc.example.com in our example (see Creating a static SIP domain route and associating this route with a trusted application).

Configuring a STUN/TURN server per location (for supporting external/federated SfB/Lync clients)

Conferencing Nodes do not need to use a TURN server for media routing to remote or federated SfB/Lync clients, providing they can reach the public-facing interface of the SfB/Lync Edge server.

However, if there is NAT between the Conferencing Nodes and the public-facing interface of the SfB/Lync Edge server, those nodes need to use STUN so that they can discover and signal their public NAT address to the SfB/Lync client (so that it can create a TURN permission on the SfB/Lync Edge server for the node's reflexive address). When required, this STUN/TURN server is typically deployed outside of the enterprise firewall or in a public DMZ.

You can either configure Pexip Infinity with either the details of a TURN server (which can act as a STUN server) or with the details of a dedicated STUN server (which it will use instead of the TURN server).

Using a TURN server

To instruct the Conferencing Nodes to use a TURN server (which in our example has the IP address 203.0.113.5), we must first define the TURN server on the Management Node, and then link it to the Europe location, as follows:

  1. Go to Call control > TURN servers and select Add TURN server:

  2. Complete the fields and select Save.
    In the example above, the TURN server has been defined by its IP address and Port, in addition to the Username and Password for our TURN user (which has already been created on the TURN server).
  3. Assign this TURN server to the appropriate location: go to Platform > Locations and select the Europe location.
  4. In the TURN server field, select the Europe TURN server from the drop-down list, and then select Save.

Using a STUN server

  1. Go to Call control > STUN servers and select Add STUN server:

  2. Complete the fields and select Save.
  3. Assign this STUN server to the appropriate location: go to Platform > Locations and select the Europe location.
  4. In the STUN server field, select the Europe STUN server from the drop-down list, and then select Save.